The NIS2 Mandate is the cyber law of the land in the EU

Jan. 17, 2024
What is it, who does it impact and what can organizations do about it?

Cyber-attacks and cybercrime are increasing in both volume and sophistication across Europe. In response, the European Union (EU) has introduced new legislation called NIS2 (a.k.a. Directive (EU) 2022/2555) that requires organizations operating within the EU to adopt a higher level of network and infrastructure security.

NIS2 supersedes Directive 2016/1148 (a.k.a. the NIS Directive), which was the EU’s first cybersecurity law. It widens the scope by bringing a broader set of organizations under the law and imposing stricter security obligations on them.

Which Organizations Does the NIS2 Apply To?

NIS2 applies to any organization that operates within the EU (including those based outside but offering services within the Union) and is deemed an “essential entity”. Businesses are classified as an “essential entity” when they operate in sectors of “high criticality” like the energy and transportation sector, banking and financial market infrastructures, healthcare providers, drinking and wastewater treatment and disposal, digital infrastructure (internet providers, cloud computing companies, DNS service providers, etc.) and ICT service management, as well as “other critical sectors” such as postal and courier services, chemicals, food processing and distribution, manufacturing industries, digital providers (search engines, social media, online marketplaces) and research. They are classified this way because any disruption in these services can lead to dire consequences for the country, region or society at large.

In addition, NIS2 recommends that EU Member States identify “important entities” -- those that do not qualify as an essential entity (due to their size or the type of entity involved) although their disruption can have a major cascading effect on the country or society. 

The key difference between essential and important entities is that essential entities fall under proactive supervision, while important entities will be monitored only after a non-compliance incident is reported. All in all, the legislation is estimated to directly impact about 160,000 organizations across Europe.

Who Does NIS2 Exempt?

The NIS2 legislation introduces a “size-cap rule” to identify regulated industries. Public and private organizations that qualify as medium or large enterprises (i.e., an annual global turnover of €10 million or more, close to $11 million, and more than 250 employees) will fall under the NIS2 purview. This means that small organizations are currently exempt. That said, certain categories of businesses fall within the scope of NIS2 regardless of their size -- providers of public electronic communications, trust service providers, top-level domain name registries and domain name system service providers. The text also specifies that the Directive does not apply to public administration entities that conduct activities such as defense or national security, public security, law enforcement and the judiciary.


How Can Organizations Achieve NIS2 Compliance?

Article 21 of the NIS2 specifies an “all hazards approach” that essential and important entities must implement to mitigate and manage risks posed to the security of network and information systems and their users. Some of the key measures specified in this approach include:
  • Adopt A Governance Framework

Organizations must establish a robust framework that outlines protocols, policies and procedures that are necessary to achieve and maintain NIS2 compliance. Assign clear accountability for cybersecurity across all levels of the organization and establish clear rules, processes and controls for risk identification, mitigation, and incident response.

  • Deploy Cybersecurity Measures

Organizations must deploy appropriate and proportionate technical, operational, and organizational measures to protect network and information systems. These include measures like multi-factor authentication, intrusion detection and prevention systems, managed detection and response, web filtering, cloud security, encryption using services like PKI certificates, etc. Since a majority of attacks originate from human error, NIS2 also emphasizes that organizations improve security knowledge, awareness and behavior in employees (Article 20).

  • Conduct Risk Assessments

Performing a risk assessment helps assess the effectiveness of cybersecurity measures and identify potential vulnerabilities and threats to network and information systems. The assessment must include both external and internal risks such as malware infection, unauthorized access, human error, and natural disasters. Understanding the risks that the organization faces and prioritizing them will help design effective cybersecurity measures.

  • Supply Chain Security

Supply chain attacks have increased dramatically over the years. NIS2 requires that businesses understand and assess potential risks, establish close relationships with high-risk suppliers and continuously update their security measures to ensure security coverage. It is also important that key suppliers and partners are made aware of the risks, and they too mirror the security strategies and measures adopted by the principal.

  • Incident Response, Recovery and Reporting

NIS2 requires that organizations adopt robust incident handling processes that help them reduce the impact, recover faster, and build resilience over time (for instance, clear incident response procedures with roles and responsibilities, backup and recovery infrastructure, malware containment and eradication). Moreover, NIS2 (Article 23) mandates that organizations notify a reporting authority within 24 hours of becoming aware of the incident, submit an initial assessment within 72 hours and, within a month, submit a final report that summarizes root causes, overall impact and relevant mitigations implemented.

A Platformed-approach to Cybersecurity Can Help

For cybersecurity professionals, every day is a race against time and resources. Delivering a timely and effective defense requires organizations to deliver a coordinated response across multiple sites, users, applications, systems, cloud environments and much more. Unfortunately, siloed security models have become too complex, cumbersome, and ineffective at delivering a coordinated defense. This is why a majority of organizations are pursuing platforms like SASE (secure access service edge), which offers a range of security services like intrusion prevention, anti-malware, next-generation firewalls (NGFW), secure web gateway, data leakage prevention (DLP) and multi-factor authentication, along with centralized management, control and visibility across all network environments.

To summarize, meeting the NIS2 mandate requires a comprehensive approach to cybersecurity, one that involves a solid governance model, a coordinated approach to cybersecurity, robust incident response planning, collaboration, and ongoing training. By prioritizing cybersecurity, organizations can protect themselves and their customers from destructive cyber-attacks, improving resilience for critical services over time.

 

Etay Maor is the Senior Director of Security Strategy for Cato Networks. Previously, he was Chief Security Officer for IntSights and held senior security positions at IBM and RSA Security's Cyber Threats Research Labs. An adjunct professor at Boston College, he holds a BA in computer science and an MA in counterterrorism and cyber terrorism from Reichman University (IDC Herzliya), Tel Aviv.
